<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="generator" content="AsciiDoc 8.6.9">
<title>UACME(1)</title>
<style type="text/css">
/* Shared CSS for AsciiDoc xhtml11 and html5 backends */

/* Default font. */
body {
  font-family: Georgia,serif;
}

/* Title font. */
h1, h2, h3, h4, h5, h6,
div.title, caption.title,
thead, p.table.header,
#toctitle,
#author, #revnumber, #revdate, #revremark,
#footer {
  font-family: Arial,Helvetica,sans-serif;
}

body {
  margin: 1em 5% 1em 5%;
}

a {
  color: blue;
  text-decoration: underline;
}
a:visited {
  color: fuchsia;
}

em {
  font-style: italic;
  color: navy;
}

strong {
  font-weight: bold;
  color: #083194;
}

h1, h2, h3, h4, h5, h6 {
  color: #527bbd;
  margin-top: 1.2em;
  margin-bottom: 0.5em;
  line-height: 1.3;
}

h1, h2, h3 {
  border-bottom: 2px solid silver;
}
h2 {
  padding-top: 0.5em;
}
h3 {
  float: left;
}
h3 + * {
  clear: left;
}
h5 {
  font-size: 1.0em;
}

div.sectionbody {
  margin-left: 0;
}

hr {
  border: 1px solid silver;
}

p {
  margin-top: 0.5em;
  margin-bottom: 0.5em;
}

ul, ol, li > p {
  margin-top: 0;
}
ul > li     { color: #aaa; }
ul > li > * { color: black; }

.monospaced, code, pre {
  font-family: "Courier New", Courier, monospace;
  font-size: inherit;
  color: navy;
  padding: 0;
  margin: 0;
}
pre {
  white-space: pre-wrap;
}

#author {
  color: #527bbd;
  font-weight: bold;
  font-size: 1.1em;
}
#email {
}
#revnumber, #revdate, #revremark {
}

#footer {
  font-size: small;
  border-top: 2px solid silver;
  padding-top: 0.5em;
  margin-top: 4.0em;
}
#footer-text {
  float: left;
  padding-bottom: 0.5em;
}
#footer-badges {
  float: right;
  padding-bottom: 0.5em;
}

#preamble {
  margin-top: 1.5em;
  margin-bottom: 1.5em;
}
div.imageblock, div.exampleblock, div.verseblock,
div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,
div.admonitionblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.admonitionblock {
  margin-top: 2.0em;
  margin-bottom: 2.0em;
  margin-right: 10%;
  color: #606060;
}

div.content { /* Block element content. */
  padding: 0;
}

/* Block element titles. */
div.title, caption.title {
  color: #527bbd;
  font-weight: bold;
  text-align: left;
  margin-top: 1.0em;
  margin-bottom: 0.5em;
}
div.title + * {
  margin-top: 0;
}

td div.title:first-child {
  margin-top: 0.0em;
}
div.content div.title:first-child {
  margin-top: 0.0em;
}
div.content + div.title {
  margin-top: 0.0em;
}

div.sidebarblock > div.content {
  background: #ffffee;
  border: 1px solid #dddddd;
  border-left: 4px solid #f0f0f0;
  padding: 0.5em;
}

div.listingblock > div.content {
  border: 1px solid #dddddd;
  border-left: 5px solid #f0f0f0;
  background: #f8f8f8;
  padding: 0.5em;
}

div.quoteblock, div.verseblock {
  padding-left: 1.0em;
  margin-left: 1.0em;
  margin-right: 10%;
  border-left: 5px solid #f0f0f0;
  color: #888;
}

div.quoteblock > div.attribution {
  padding-top: 0.5em;
  text-align: right;
}

div.verseblock > pre.content {
  font-family: inherit;
  font-size: inherit;
}
div.verseblock > div.attribution {
  padding-top: 0.75em;
  text-align: left;
}
/* DEPRECATED: Pre version 8.2.7 verse style literal block. */
div.verseblock + div.attribution {
  text-align: left;
}

div.admonitionblock .icon {
  vertical-align: top;
  font-size: 1.1em;
  font-weight: bold;
  text-decoration: underline;
  color: #527bbd;
  padding-right: 0.5em;
}
div.admonitionblock td.content {
  padding-left: 0.5em;
  border-left: 3px solid #dddddd;
}

div.exampleblock > div.content {
  border-left: 3px solid #dddddd;
  padding-left: 0.5em;
}

div.imageblock div.content { padding-left: 0; }
span.image img { border-style: none; vertical-align: text-bottom; }
a.image:visited { color: white; }

dl {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
dt {
  margin-top: 0.5em;
  margin-bottom: 0;
  font-style: normal;
  color: navy;
}
dd > *:first-child {
  margin-top: 0.1em;
}

ul, ol {
    list-style-position: outside;
}
ol.arabic {
  list-style-type: decimal;
}
ol.loweralpha {
  list-style-type: lower-alpha;
}
ol.upperalpha {
  list-style-type: upper-alpha;
}
ol.lowerroman {
  list-style-type: lower-roman;
}
ol.upperroman {
  list-style-type: upper-roman;
}

div.compact ul, div.compact ol,
div.compact p, div.compact p,
div.compact div, div.compact div {
  margin-top: 0.1em;
  margin-bottom: 0.1em;
}

tfoot {
  font-weight: bold;
}
td > div.verse {
  white-space: pre;
}

div.hdlist {
  margin-top: 0.8em;
  margin-bottom: 0.8em;
}
div.hdlist tr {
  padding-bottom: 15px;
}
dt.hdlist1.strong, td.hdlist1.strong {
  font-weight: bold;
}
td.hdlist1 {
  vertical-align: top;
  font-style: normal;
  padding-right: 0.8em;
  color: navy;
}
td.hdlist2 {
  vertical-align: top;
}
div.hdlist.compact tr {
  margin: 0;
  padding-bottom: 0;
}

.comment {
  background: yellow;
}

.footnote, .footnoteref {
  font-size: 0.8em;
}

span.footnote, span.footnoteref {
  vertical-align: super;
}

#footnotes {
  margin: 20px 0 20px 0;
  padding: 7px 0 0 0;
}

#footnotes div.footnote {
  margin: 0 0 5px 0;
}

#footnotes hr {
  border: none;
  border-top: 1px solid silver;
  height: 1px;
  text-align: left;
  margin-left: 0;
  width: 20%;
  min-width: 100px;
}

div.colist td {
  padding-right: 0.5em;
  padding-bottom: 0.3em;
  vertical-align: top;
}
div.colist td img {
  margin-top: 0.3em;
}

@media print {
  #footer-badges { display: none; }
}

#toc {
  margin-bottom: 2.5em;
}

#toctitle {
  color: #527bbd;
  font-size: 1.1em;
  font-weight: bold;
  margin-top: 1.0em;
  margin-bottom: 0.1em;
}

div.toclevel0, div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {
  margin-top: 0;
  margin-bottom: 0;
}
div.toclevel2 {
  margin-left: 2em;
  font-size: 0.9em;
}
div.toclevel3 {
  margin-left: 4em;
  font-size: 0.9em;
}
div.toclevel4 {
  margin-left: 6em;
  font-size: 0.9em;
}

span.aqua { color: aqua; }
span.black { color: black; }
span.blue { color: blue; }
span.fuchsia { color: fuchsia; }
span.gray { color: gray; }
span.green { color: green; }
span.lime { color: lime; }
span.maroon { color: maroon; }
span.navy { color: navy; }
span.olive { color: olive; }
span.purple { color: purple; }
span.red { color: red; }
span.silver { color: silver; }
span.teal { color: teal; }
span.white { color: white; }
span.yellow { color: yellow; }

span.aqua-background { background: aqua; }
span.black-background { background: black; }
span.blue-background { background: blue; }
span.fuchsia-background { background: fuchsia; }
span.gray-background { background: gray; }
span.green-background { background: green; }
span.lime-background { background: lime; }
span.maroon-background { background: maroon; }
span.navy-background { background: navy; }
span.olive-background { background: olive; }
span.purple-background { background: purple; }
span.red-background { background: red; }
span.silver-background { background: silver; }
span.teal-background { background: teal; }
span.white-background { background: white; }
span.yellow-background { background: yellow; }

span.big { font-size: 2em; }
span.small { font-size: 0.6em; }

span.underline { text-decoration: underline; }
span.overline { text-decoration: overline; }
span.line-through { text-decoration: line-through; }

div.unbreakable { page-break-inside: avoid; }


/*
 * xhtml11 specific
 *
 * */

div.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
div.tableblock > table {
  border: 3px solid #527bbd;
}
thead, p.table.header {
  font-weight: bold;
  color: #527bbd;
}
p.table {
  margin-top: 0;
}
/* Because the table frame attribute is overriden by CSS in most browsers. */
div.tableblock > table[frame="void"] {
  border-style: none;
}
div.tableblock > table[frame="hsides"] {
  border-left-style: none;
  border-right-style: none;
}
div.tableblock > table[frame="vsides"] {
  border-top-style: none;
  border-bottom-style: none;
}


/*
 * html5 specific
 *
 * */

table.tableblock {
  margin-top: 1.0em;
  margin-bottom: 1.5em;
}
thead, p.tableblock.header {
  font-weight: bold;
  color: #527bbd;
}
p.tableblock {
  margin-top: 0;
}
table.tableblock {
  border-width: 3px;
  border-spacing: 0px;
  border-style: solid;
  border-color: #527bbd;
  border-collapse: collapse;
}
th.tableblock, td.tableblock {
  border-width: 1px;
  padding: 4px;
  border-style: solid;
  border-color: #527bbd;
}

table.tableblock.frame-topbot {
  border-left-style: hidden;
  border-right-style: hidden;
}
table.tableblock.frame-sides {
  border-top-style: hidden;
  border-bottom-style: hidden;
}
table.tableblock.frame-none {
  border-style: hidden;
}

th.tableblock.halign-left, td.tableblock.halign-left {
  text-align: left;
}
th.tableblock.halign-center, td.tableblock.halign-center {
  text-align: center;
}
th.tableblock.halign-right, td.tableblock.halign-right {
  text-align: right;
}

th.tableblock.valign-top, td.tableblock.valign-top {
  vertical-align: top;
}
th.tableblock.valign-middle, td.tableblock.valign-middle {
  vertical-align: middle;
}
th.tableblock.valign-bottom, td.tableblock.valign-bottom {
  vertical-align: bottom;
}


/*
 * manpage specific
 *
 * */

body.manpage h1 {
  padding-top: 0.5em;
  padding-bottom: 0.5em;
  border-top: 2px solid silver;
  border-bottom: 2px solid silver;
}
body.manpage h2 {
  border-style: none;
}
body.manpage div.sectionbody {
  margin-left: 3em;
}

@media print {
  body.manpage div#toc { display: none; }
}


</style>
<script type="text/javascript">
/*<![CDATA[*/
var asciidoc = {  // Namespace.

/////////////////////////////////////////////////////////////////////
// Table Of Contents generator
/////////////////////////////////////////////////////////////////////

/* Author: Mihai Bazon, September 2002
 * http://students.infoiasi.ro/~mishoo
 *
 * Table Of Content generator
 * Version: 0.4
 *
 * Feel free to use this script under the terms of the GNU General Public
 * License, as long as you do not remove or alter this notice.
 */

 /* modified by Troy D. Hanson, September 2006. License: GPL */
 /* modified by Stuart Rackham, 2006, 2009. License: GPL */

// toclevels = 1..4.
toc: function (toclevels) {

  function getText(el) {
    var text = "";
    for (var i = el.firstChild; i != null; i = i.nextSibling) {
      if (i.nodeType == 3 /* Node.TEXT_NODE */) // IE doesn't speak constants.
        text += i.data;
      else if (i.firstChild != null)
        text += getText(i);
    }
    return text;
  }

  function TocEntry(el, text, toclevel) {
    this.element = el;
    this.text = text;
    this.toclevel = toclevel;
  }

  function tocEntries(el, toclevels) {
    var result = new Array;
    var re = new RegExp('[hH]([1-'+(toclevels+1)+'])');
    // Function that scans the DOM tree for header elements (the DOM2
    // nodeIterator API would be a better technique but not supported by all
    // browsers).
    var iterate = function (el) {
      for (var i = el.firstChild; i != null; i = i.nextSibling) {
        if (i.nodeType == 1 /* Node.ELEMENT_NODE */) {
          var mo = re.exec(i.tagName);
          if (mo && (i.getAttribute("class") || i.getAttribute("className")) != "float") {
            result[result.length] = new TocEntry(i, getText(i), mo[1]-1);
          }
          iterate(i);
        }
      }
    }
    iterate(el);
    return result;
  }

  var toc = document.getElementById("toc");
  if (!toc) {
    return;
  }

  // Delete existing TOC entries in case we're reloading the TOC.
  var tocEntriesToRemove = [];
  var i;
  for (i = 0; i < toc.childNodes.length; i++) {
    var entry = toc.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div'
     && entry.getAttribute("class")
     && entry.getAttribute("class").match(/^toclevel/))
      tocEntriesToRemove.push(entry);
  }
  for (i = 0; i < tocEntriesToRemove.length; i++) {
    toc.removeChild(tocEntriesToRemove[i]);
  }

  // Rebuild TOC entries.
  var entries = tocEntries(document.getElementById("content"), toclevels);
  for (var i = 0; i < entries.length; ++i) {
    var entry = entries[i];
    if (entry.element.id == "")
      entry.element.id = "_toc_" + i;
    var a = document.createElement("a");
    a.href = "#" + entry.element.id;
    a.appendChild(document.createTextNode(entry.text));
    var div = document.createElement("div");
    div.appendChild(a);
    div.className = "toclevel" + entry.toclevel;
    toc.appendChild(div);
  }
  if (entries.length == 0)
    toc.parentNode.removeChild(toc);
},


/////////////////////////////////////////////////////////////////////
// Footnotes generator
/////////////////////////////////////////////////////////////////////

/* Based on footnote generation code from:
 * http://www.brandspankingnew.net/archive/2005/07/format_footnote.html
 */

footnotes: function () {
  // Delete existing footnote entries in case we're reloading the footnodes.
  var i;
  var noteholder = document.getElementById("footnotes");
  if (!noteholder) {
    return;
  }
  var entriesToRemove = [];
  for (i = 0; i < noteholder.childNodes.length; i++) {
    var entry = noteholder.childNodes[i];
    if (entry.nodeName.toLowerCase() == 'div' && entry.getAttribute("class") == "footnote")
      entriesToRemove.push(entry);
  }
  for (i = 0; i < entriesToRemove.length; i++) {
    noteholder.removeChild(entriesToRemove[i]);
  }

  // Rebuild footnote entries.
  var cont = document.getElementById("content");
  var spans = cont.getElementsByTagName("span");
  var refs = {};
  var n = 0;
  for (i=0; i<spans.length; i++) {
    if (spans[i].className == "footnote") {
      n++;
      var note = spans[i].getAttribute("data-note");
      if (!note) {
        // Use [\s\S] in place of . so multi-line matches work.
        // Because JavaScript has no s (dotall) regex flag.
        note = spans[i].innerHTML.match(/\s*\[([\s\S]*)]\s*/)[1];
        spans[i].innerHTML =
          "[<a id='_footnoteref_" + n + "' href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
        spans[i].setAttribute("data-note", note);
      }
      noteholder.innerHTML +=
        "<div class='footnote' id='_footnote_" + n + "'>" +
        "<a href='#_footnoteref_" + n + "' title='Return to text'>" +
        n + "</a>. " + note + "</div>";
      var id =spans[i].getAttribute("id");
      if (id != null) refs["#"+id] = n;
    }
  }
  if (n == 0)
    noteholder.parentNode.removeChild(noteholder);
  else {
    // Process footnoterefs.
    for (i=0; i<spans.length; i++) {
      if (spans[i].className == "footnoteref") {
        var href = spans[i].getElementsByTagName("a")[0].getAttribute("href");
        href = href.match(/#.*/)[0];  // Because IE return full URL.
        n = refs[href];
        spans[i].innerHTML =
          "[<a href='#_footnote_" + n +
          "' title='View footnote' class='footnote'>" + n + "</a>]";
      }
    }
  }
},

install: function(toclevels) {
  var timerId;

  function reinstall() {
    asciidoc.footnotes();
    if (toclevels) {
      asciidoc.toc(toclevels);
    }
  }

  function reinstallAndRemoveTimer() {
    clearInterval(timerId);
    reinstall();
  }

  timerId = setInterval(reinstall, 500);
  if (document.addEventListener)
    document.addEventListener("DOMContentLoaded", reinstallAndRemoveTimer, false);
  else
    window.onload = reinstallAndRemoveTimer;
}

}
asciidoc.install();
/*]]>*/
</script>
</head>
<body class="manpage">
<div id="header">
<h1>
UACME(1) Manual Page
</h1>
<h2>NAME</h2>
<div class="sectionbody">
<p>uacme -
   ACMEv2 client written in plain C with minimal dependencies
</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>uacme</strong> [<strong>-a</strong>|<strong>--acme-url</strong> <em>URL</em>] [<strong>-b</strong>|<strong>--bits</strong> <em>BITS</em>]
    [<strong>-c</strong>|<strong>--confdir</strong> <em>DIR</em>] [<strong>-d</strong>|<strong>--days</strong> <em>DAYS</em>] [<strong>-e</strong>|<strong>--eab</strong> KEYID:KEY]
    [<strong>-f</strong>|<strong>--force</strong>] [<strong>-h</strong>|<strong>--hook</strong> <em>PROGRAM</em>] [<strong>-l</strong>|<strong>--alternate</strong> <em>N</em> | <em>FP</em>]
    [<strong>-m</strong>|<strong>--must-staple</strong>] [<strong>-n</strong>|<strong>--never-create</strong>] [<strong>-o</strong>|<strong>--no-ocsp</strong>]
    [<strong>-s</strong>|<strong>--staging</strong>] [<strong>-t</strong>|<strong>--type</strong> <strong>RSA</strong>|<strong>EC</strong>] [<strong>-v</strong>|<strong>--verbose</strong> &#8230;]
    [<strong>-V</strong>|<strong>--version</strong>] [<strong>-y</strong>|<strong>--yes</strong>] [<strong>-?</strong>|<strong>--help</strong>]
    <strong>new</strong> [<em>EMAIL</em>] | <strong>update</strong> [<em>EMAIL</em>] | <strong>deactivate</strong> | <strong>newkey</strong> |
    <strong>issue</strong> <em>IDENTIFIER</em> [<em>ALTNAME</em> &#8230;]] | <strong>issue</strong> <em>CSRFILE</em> |
    <strong>revoke</strong> <em>CERTFILE</em> [<em>CERTKEYFILE</em>]</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>uacme</strong> is a client for the ACMEv2 protocol described in RFC8555,
written in plain C with minimal dependencies (libcurl and one of
GnuTLS, OpenSSL or mbedTLS). The ACMEv2 protocol allows a
Certificate Authority (<a href="https://letsencrypt.org">https://letsencrypt.org</a> is a popular one)
and an applicant to automate the process of verification and certificate
issuance. The protocol also provides facilities for other certificate
management functions, such as certificate revocation. For more
information see <a href="https://tools.ietf.org/html/rfc8555">https://tools.ietf.org/html/rfc8555</a></p></div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist"><dl>
<dt class="hdlist1">
<strong>-a, --acme-url</strong> <em>URL</em>
</dt>
<dd>
<p>
    ACMEv2 server directory object <em>URL</em>. If not specified <strong>uacme</strong>
    uses one of the following:
</p>
<div class="dlist"><dl>
<dt class="hdlist1">
<em>https://acme-v02.api.letsencrypt.org/directory</em>
</dt>
<dd>
<p>
production URL
</p>
</dd>
<dt class="hdlist1">
<em>https://acme-staging-v02.api.letsencrypt.org/directory</em>
</dt>
<dd>
<p>
    staging URL (see <strong>-s, --staging</strong> below)
</p>
</dd>
</dl></div>
</dd>
<dt class="hdlist1">
<strong>-b, --bits</strong> <em>BITS</em>
</dt>
<dd>
<p>
    key bit length (default 2048 for RSA, 256 for EC). Only applies
    to newly generated keys. RSA key length must be a multiple of 8
    between 2048 and 8192. EC key length must be either 256
    (<strong>NID_X9_62_prime256v1</strong> curve) or 384 (<strong>NID_secp384r1</strong> curve).
</p>
</dd>
<dt class="hdlist1">
<strong>-c, --confdir</strong> <em>CONFDIR</em>
</dt>
<dd>
<p>
    Use configuration directory <em>CONFDIR</em> (default <em>/etc/ssl/uacme</em>).
    The structure is as follows (multiple <em>IDENTIFIERs</em> allowed)
</p>
<div class="dlist"><dl>
<dt class="hdlist1">
<em>CONFDIR/private/key.pem</em>
</dt>
<dd>
<p>
ACME account private key
</p>
</dd>
<dt class="hdlist1">
<em>CONFDIR/private/IDENTIFIER/key.pem</em>
</dt>
<dd>
<p>
certificate key for
        <em>IDENTIFIER</em>
</p>
</dd>
<dt class="hdlist1">
<em>CONFDIR/IDENTIFIER/cert.pem</em>
</dt>
<dd>
<p>
certificate for <em>IDENTIFIER</em>
</p>
</dd>
</dl></div>
</dd>
<dt class="hdlist1">
<strong>-d, --days</strong> <em>DAYS</em>
</dt>
<dd>
<p>
    Do not reissue certificates that are still valid for longer
    than <em>DAYS</em> (default 30). See also <strong>-o, --no-ocsp</strong>.
</p>
</dd>
<dt class="hdlist1">
<strong>-e, --eab</strong> <em>KEYID:KEY</em>
</dt>
<dd>
<p>
    Specify RFC8555 External Account Binding credentials according
    to <a href="https://tools.ietf.org/html/rfc8555#section-7.3.4">https://tools.ietf.org/html/rfc8555#section-7.3.4</a>, in order
    to associate a new ACME account with an existing account in a
    non-ACME system such as a CA customer database.
    <em>KEYID</em> must be an ASCII string. <em>KEY</em> must be base64url-encoded.
</p>
</dd>
<dt class="hdlist1">
<strong>-f, --force</strong>
</dt>
<dd>
<p>
    Force certificate reissuance regardless of expiration date.
</p>
</dd>
<dt class="hdlist1">
<strong>-h, --hook</strong> <em>PROGRAM</em>
</dt>
<dd>
<p>
    Challenge hook program. If not specified <strong>uacme</strong> interacts with
    the user for every ACME challenge, printing information about the
    challenge type, token and authorization on stderr.  If specified
    <strong>uacme</strong> executes <em>PROGRAM</em> (a binary, a shell script or any file that
    can be executed by the operating system) for every challenge with
    the following 5 string arguments:
</p>
<div class="dlist"><dl>
<dt class="hdlist1">
<em>METHOD</em>
</dt>
<dd>
<p>
one of <strong>begin</strong>, <strong>done</strong> or <strong>failed</strong>.
</p>
<div class="dlist"><dl>
<dt class="hdlist1">
<strong>begin</strong>
</dt>
<dd>
<p>
is called at the beginning of the challenge.
           <em>PROGRAM</em> must return 0 to accept it. Any other return
           code declines the challenge. Neither <strong>done</strong> nor <strong>failed</strong>
           method calls are made for declined challenges.
</p>
</dd>
<dt class="hdlist1">
<strong>done</strong>
</dt>
<dd>
<p>
is called upon successful completion of an
           accepted challenge.
</p>
</dd>
<dt class="hdlist1">
<strong>failed</strong>
</dt>
<dd>
<p>
is called upon failure of an accepted challenge.
</p>
</dd>
</dl></div>
</dd>
<dt class="hdlist1">
<em>TYPE</em>
</dt>
<dd>
<p>
challenge type (<strong>dns-01</strong>, <strong>http-01</strong> or <strong>tls-alpn-01</strong>)
</p>
</dd>
<dt class="hdlist1">
<em>IDENT</em>
</dt>
<dd>
<p>
The identifier the challenge refers to
</p>
</dd>
<dt class="hdlist1">
<em>TOKEN</em>
</dt>
<dd>
<p>
The challenge token
</p>
</dd>
<dt class="hdlist1">
<em>AUTH</em>
</dt>
<dd>
<p>
The key authorization (for <strong>dns-01</strong> and <strong>tls-alpn-01</strong>
           already converted to the base64url-encoded SHA256 digest format)
</p>
</dd>
</dl></div>
</dd>
<dt class="hdlist1">
<strong>-l, --alternate</strong> <em>N</em> | <em>FP</em>
</dt>
<dd>
<p>
    According to <a href="https://tools.ietf.org/html/rfc8555#section-7.4.2">https://tools.ietf.org/html/rfc8555#section-7.4.2</a>
    the server MAY provide one or more additional certificate download URLs,
    each pointing to alternative certificate chains starting with the same
    end-entity certificate. This option allows selecting one such chain
    in one of two ways. A positive integer <em>N</em> makes <strong>uacme</strong> select the Nth
    alternative chain in the order presented by the server.
    A colon (<em>:</em>) separated list of two or more 2-digit hexadecimal numbers
    <em>FP</em> makes <strong>uacme</strong> select the first alternative chain containing a
    certificate whose SHA256 fingerprint begins with <em>FP</em>.
    In both cases <strong>uacme</strong> falls back to the main certificate URL if it cannot
    match an alternative chain or the download thereof fails.
</p>
</dd>
<dt class="hdlist1">
<strong>-m, --must-staple</strong>
</dt>
<dd>
<p>
    Request certificates with the RFC7633 Certificate Status Request
    TLS Feature Extension, informally also known as "OCSP Must-Staple".
    This option is ignored when using an externally supplied Certificate
    Signing Request file (see USAGE below).
</p>
</dd>
<dt class="hdlist1">
<strong>-n, --never-create</strong>
</dt>
<dd>
<p>
    By default <strong>uacme</strong> creates directories/keys if they do not exist.
    When this option is specified <strong>uacme</strong> never does so and instead
    exits with an error if anything required is missing.
</p>
</dd>
<dt class="hdlist1">
<strong>-o, --no-ocsp</strong>
</dt>
<dd>
<p>
    When this flag is <strong>not</strong> specified and the certificate has an
    Authority Information Access extension with an OCSP server location
    according to <a href="https://tools.ietf.org/html/rfc5280#section-4.2.2.1">https://tools.ietf.org/html/rfc5280#section-4.2.2.1</a>
    <strong>uacme</strong> makes an OCSP request to the server; if the certificate is
    reported as revoked <strong>uacme</strong> forces reissuance regardless of the
    expiration date. See also <strong>-d, --days</strong>.
</p>
</dd>
<dt class="hdlist1">
<strong>-s, --staging</strong>
</dt>
<dd>
<p>
    Use Let&#8217;s Encrypt staging URL for testing. This only works if
    <strong>-a, --acme-url</strong> is <strong>NOT</strong> specified.
</p>
</dd>
<dt class="hdlist1">
<strong>-t, --type</strong>=<em>RSA</em> | <em>EC</em>
</dt>
<dd>
<p>
    Key type, either RSA or EC. Only applies to newly generated keys.
    The bit length can be specified with <strong>-b, --bits</strong>.
</p>
</dd>
<dt class="hdlist1">
<strong>-v, --verbose</strong>
</dt>
<dd>
<p>
    By default <strong>uacme</strong> only produces output upon errors or when user
    interaction is required. When this option is specified <strong>uacme</strong>
    prints information about what is going on on stderr. This option
    can be specified more than once to increase verbosity.
</p>
</dd>
<dt class="hdlist1">
<strong>-V, --version</strong>
</dt>
<dd>
<p>
    Print program version on stderr and exit.
</p>
</dd>
<dt class="hdlist1">
<strong>-y, --yes</strong>
</dt>
<dd>
<p>
    Autoaccept ACME server terms (if any) upon new account creation.
</p>
</dd>
<dt class="hdlist1">
<strong>-?, --help</strong>
</dt>
<dd>
<p>
    Print a brief usage text on stderr and exit.
</p>
</dd>
</dl></div>
</div>
</div>
<div class="sect1">
<h2 id="_usage">USAGE</h2>
<div class="sectionbody">
<div class="dlist"><dl>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>new</strong> [<em>EMAIL</em>]
</dt>
<dd>
<p>
    Create a new ACME account with optional <em>EMAIL</em> contact. If the
    account private key does not exist at <em>CONFDIR/private/key.pem</em>
    a new key is generated unless <strong>-n, --never-create</strong> is specified.
    A valid account must be created <strong>before</strong> any other operation can
    succeed (with the exception of certificate revocation requests
    signed by the certificate private key).
    Any certificate issued by the ACME server is associated with a
    single account. An account can be associated with multiple
    certificates, subject of course to the rate limits imposed by the
    ACME server.
</p>
</dd>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>update</strong> [<em>EMAIL</em>]
</dt>
<dd>
<p>
    Update the <em>EMAIL</em> associated with the ACME account corresponding to
    the account private key. If <em>EMAIL</em> is not specified the account
    contact email is removed.
</p>
</dd>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>deactivate</strong>
</dt>
<dd>
<p>
    Deactivate the ACME account corresponding to the account private
    key. <strong>WARNING</strong> this action is irreversible. Users may wish to do
    this when the account key is compromised or decommissioned.
    A deactivated account can no longer request certificate issuances
    and revocations or access resources related to the account.
</p>
</dd>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>newkey</strong>
</dt>
<dd>
<p>
    Change the ACME account private key. If the new account private
    key does not exist at <em>CONFDIR/private/newkey.pem</em> it is generated
    unless <strong>-n, --never-create</strong> is specified. The new key is then
    submitted to the server and if the operation succeeds the old key
    is hardlinked to <em>CONFDIR/private/key-TIMESTAMP.pem</em> before
    renaming <em>CONFDIR/private/newkey.pem</em> to <em>CONFDIR/private/key.pem</em>.
</p>
</dd>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>issue</strong> <em>IDENTIFIER</em> [<em>ALTNAME</em> &#8230;]
</dt>
<dd>
<p>
    Issue a certificate for <em>IDENTIFIER</em> with zero or more <em>ALTNAMEs</em>.
    If a certificate is already available at <em>CONFDIR/IDENTIFIER/cert.pem</em>
    for the specified <em>IDENTIFIER</em> and <em>ALTNAMEs</em> and is still valid for
    longer than <em>DAYS</em> no action is taken unless <strong>-f, --force</strong> is specified
    or <strong>-o, --no-ocsp</strong> is <strong>not</strong> specified and the certificate is reported
    as revoked by the OCSP server.  The new certificate is saved to
    <em>CONFDIR/IDENTIFIER/cert.pem</em>.  If the certificate file already exists
    it is hardlinked to <em>CONFDIR/IDENTIFIER/cert-TIMESTAMP.pem</em> before
    overwriting.  The private key for the certificate is loaded from
    <em>CONFDIR/private/IDENTIFIER/key.pem</em>. If no such file exists,
    a new key is generated unless <strong>-n, --never-create</strong> is specified.
    Wildcard <em>IDENTIFIERs</em> or <em>ALTNAMEs</em> are dealt with correctly, as long
    as the ACME server supports them; note that any such wildcards are
    automatically removed from the configuration subdirectory name:
    for example a certificate for <em>*.test.com</em> is saved to
    <em>CONFDIR/test.com/cert.pem</em>.
    IP address <em>IDENTIFIERs</em> and <em>ALTNAMEs</em> are also supported according to
    <a href="https://tools.ietf.org/html/rfc8738#section-3">https://tools.ietf.org/html/rfc8738#section-3</a>
</p>
</dd>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>issue</strong> <em>CSRFILE</em>
</dt>
<dd>
<p>
    Issue a certificate based on a RFC2986 Certificate Signing Request
    contained in <em>CSRFILE</em>, which must be in PEM format. In this mode
    of issuance <strong>uacme</strong> neither needs nor generates the certificate private
    key, but it is of course the responsibility of the user to ensure that
    the CSR is constructed and signed appropriately.
    If a certificate file <em>CSRBASE-cert.pem</em> (where <em>CSRBASE</em> is obtained
    by stripping the extension, if any, from <em>CSRFILE</em>) is already available
    in the same directory containing <em>CSRFILE</em>, and is still valid for longer
    than <em>DAYS</em> no action is taken unless <strong>-f, --force</strong> is specified or
    <strong>-o, --no-ocsp</strong> is <strong>not</strong> specified and the certificate is reported as
    revoked by the OCSP server.  If the certificate file already exists it
    is hardlinked to <em>BASENAME-cert-TIMESTAMP.pem</em> before overwriting.
    Wildcard identifiers in the CSR are dealt with correctly, as long as
    the ACME server supports them.  IP addresses are also supported
    according to <a href="https://tools.ietf.org/html/rfc8738#section-3">https://tools.ietf.org/html/rfc8738#section-3</a>
</p>
</dd>
<dt class="hdlist1">
<strong>uacme</strong> [<em>OPTIONS</em> &#8230;] <strong>revoke</strong> <em>CERTFILE</em> [<em>CERTKEYFILE</em>]
</dt>
<dd>
<p>
    Revoke the certificate stored in <em>CERTFILE</em>. The revocation request
    is signed with the private key of either the certificate, when
    <em>CERTKEYFILE</em> is specified; or the ACME account associated with the
    certificate, when only <em>CERTFILE</em> is specified. In the first instance
    the account key and the configuration directory are not required.
    If successful <em>CERTFILE</em> is renamed to <em>revoked-TIMESTAMP.pem</em>.
</p>
</dd>
</dl></div>
</div>
</div>
<div class="sect1">
<h2 id="_exit_status">EXIT STATUS</h2>
<div class="sectionbody">
<div class="dlist"><dl>
<dt class="hdlist1">
<strong>0</strong>
</dt>
<dd>
<p>
    Success
</p>
</dd>
<dt class="hdlist1">
<strong>1</strong>
</dt>
<dd>
<p>
    Certificate not reissued because it is still current
</p>
</dd>
<dt class="hdlist1">
<strong>2</strong>
</dt>
<dd>
<p>
    Failure (syntax or usage error; configuration error;
    processing failure; unexpected error).
</p>
</dd>
</dl></div>
</div>
</div>
<div class="sect1">
<h2 id="_example_hook_script">EXAMPLE HOOK SCRIPT</h2>
<div class="sectionbody">
<div class="paragraph"><p>The <em>uacme.sh</em> hook script included in the distribution can be used
to automate the certificate issuance with <em>http-01</em> challenges,
provided a web server for the domain being validated runs on the
same machine, with webroot at /var/www</p></div>
<div class="literalblock">
<div class="content monospaced">
<pre>#!/bin/sh
CHALLENGE_PATH=/var/www/.well-known/acme-challenge
ARGS=5
E_BADARGS=85</pre>
</div></div>
<div class="literalblock">
<div class="content monospaced">
<pre>if test $# -ne "$ARGS"
then
    echo "Usage: $(basename "$0") method type ident token auth" 1&gt;&amp;2
    exit $E_BADARGS
fi</pre>
</div></div>
<div class="literalblock">
<div class="content monospaced">
<pre>METHOD=$1
TYPE=$2
IDENT=$3
TOKEN=$4
AUTH=$5</pre>
</div></div>
<div class="literalblock">
<div class="content monospaced">
<pre>case "$METHOD" in
    "begin")
        case "$TYPE" in
            http-01)
                echo -n "${AUTH}" &gt; "${CHALLENGE_PATH}/${TOKEN}"
                exit $?
                ;;
            *)
                exit 1
                ;;
        esac
        ;;
    "done"|"failed")
        case "$TYPE" in
            http-01)
                rm "${CHALLENGE_PATH}/${TOKEN}"
                exit $?
                ;;
            *)
                exit 1
                ;;
        esac
        ;;
    *)
        echo "$0: invalid method" 1&gt;&amp;2
        exit 1
esac</pre>
</div></div>
</div>
</div>
<div class="sect1">
<h2 id="_bugs">BUGS</h2>
<div class="sectionbody">
<div class="paragraph"><p>If you believe you have found a bug, please create a new issue
at <a href="https://github.com/ndilieto/uacme/issues">https://github.com/ndilieto/uacme/issues</a> with any applicable
information.</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>ualpn</strong>(1)</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_author">AUTHOR</h2>
<div class="sectionbody">
<div class="paragraph"><p><strong>uacme</strong> was written by Nicola Di Lieto</p></div>
</div>
</div>
<div class="sect1">
<h2 id="_copyright">COPYRIGHT</h2>
<div class="sectionbody">
<div class="paragraph"><p>Copyright &#169; 2019-2021 Nicola Di Lieto &lt;<a href="mailto:nicola.dilieto@gmail.com">nicola.dilieto@gmail.com</a>&gt;</p></div>
<div class="paragraph"><p>This file is part of <strong>uacme</strong>.</p></div>
<div class="paragraph"><p><strong>uacme</strong> is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.</p></div>
<div class="paragraph"><p><strong>uacme</strong> is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.</p></div>
<div class="paragraph"><p>You should have received a copy of the GNU General Public License
along with this program.  If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.</p></div>
</div>
</div>
</div>
<div id="footnotes"><hr></div>
<div id="footer">
<div id="footer-text">
Version 1.7<br>
Last updated
 2021-01-17 16:52:15 CET
</div>
</div>
</body>
</html>
